Cisco Support Community
Community Member

NAT Rules

Hi all,

At present I'm installing an ASA firewall between my 2811 router and the network.

The router at the moment has an internal ip address of 192.9.200.253 and has NAT rules set up. The 192.9.200.254 address is that of our exchange server. My question is this. If I change the internal interface of the router to 10.10.10.10 and the external interface of the ASA to 10.10.10.11 and the internal interface of the ASA has the 192.9.200.253 address, what do I do about the NAT rules?

ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip nat inside source static tcp 192.9.200.254 25 *.*.*.* 25 route-map Deny-VPN extendable
ip nat inside source static tcp 192.9.200.254 80 *.*.*.* 80 route-map Deny-VPN extendable
ip nat inside source static tcp 192.9.200.254 143 *.*.*.* 143 route-map Deny-VPN extendable
!
ip access-list extended Deny-VPN
 permit ip 192.9.200.0 0.0.1.255 6.0.0.0 0.0.255.255
!
access-list 105 remark SDM_ACL Category=2
access-list 105 remark IPSec Rule
access-list 105 deny   ip 192.9.200.0 0.0.0.255 6.0.0.0 0.0.255.255
access-list 105 deny   ip 192.9.200.0 0.0.1.255 172.31.0.0 0.0.255.255
access-list 105 permit ip 192.9.200.0 0.0.0.255 any
!
route-map Deny-VPN deny 10
 match ip address Deny-VPN
!
route-map SDM_RMAP_1 permit 1
 match ip address 105
!

I've attached the complete config below

Regards

Egg

1 REPLY
Community Member

Re: NAT Rules

Hello,

I am not sure of your exact concern and the design here looks a little "different", but hey, that's none of my business. Let me see if my assumption is correct. You have: internet > 2811 > ASA > LAN. If this is correct, you will continue to terminate the VPN on the 2811, but you're not sure if these NAT rules need to move to the ASA or not?

You can, but you don't have to. If you leave the NAT statements how and where they are, the incoming requests (ports 25, 80, 143) will hit your public IP on the 2811 (which is not changing, according to my assumption), NAT to 192.9.200.254, and as long as you have a route in the 2811 (192.9.200.0 255.255.255.0 10.10.10.11) and the correct routes in the ASA (X.X.X.X X.X.X.X 10.10.10.10), all should work well.

However, if you do it this way you can't be doing NAT on the ASA for this network (192.9.200.0/24). There shouldn't be a problem with your internet NAT on the 2811 either, because as long as you don't NAT on the ASA, packets will remain sourced from 192.9.200.x when they arrive at the 2811 and hence be processed by NAT in the 2811. If you have to NAT in the ASA, then include this subnet in your "no nat (nat0)" statements.

Hope this helps.
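The arrangement the reply describes, written out as an added configuration example. This is not config from either poster: it keeps the original NAT statements untouched and adds only the pieces the new topology needs. Assumptions: the router's new ASA-facing interface is FastEthernet0/0 on an assumed 10.10.10.8/29 link (10.10.10.10 and 10.10.10.11 are not in the same /30, so a /30 mask would not work), the ASA runs pre-8.3 software so the exemption uses the "nat 0" form the reply mentions, the ASA interface names are the default outside/inside, and the redacted public address stays as *.*.*.*.

```cisco
! ===== 2811 router (added example) =====
! The NAT rules themselves do not change: the inside host is still 192.9.200.254.
! What does change is which interface carries "ip nat inside". It moves from the
! old LAN interface to the new link that faces the ASA (interface name assumed).
interface FastEthernet0/0
 description Link to ASA outside
 ip address 10.10.10.10 255.255.255.248
 ip nat inside
!
! Dialer1 keeps "ip nat outside" exactly as it is today.
!
! 192.9.200.0/24 is no longer directly connected, so the router needs a route to
! it via the ASA outside address. Without this, translated inbound packets and
! the return path for the overload NAT have nowhere to go.
ip route 192.9.200.0 255.255.255.0 10.10.10.11
!
! Existing NAT statements, kept verbatim from the original post.
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip nat inside source static tcp 192.9.200.254 25 *.*.*.* 25 route-map Deny-VPN extendable
ip nat inside source static tcp 192.9.200.254 80 *.*.*.* 80 route-map Deny-VPN extendable
ip nat inside source static tcp 192.9.200.254 143 *.*.*.* 143 route-map Deny-VPN extendable

! ===== ASA (added example, pre-8.3 syntax assumed) =====
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.10.10.11 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.9.200.253 255.255.255.0
!
! Everything not local goes back to the 2811.
route outside 0.0.0.0 0.0.0.0 10.10.10.10
!
! Only needed if the ASA also does PAT for some other network. The exemption keeps
! 192.9.200.x as the source address seen by the 2811, so the router's route-map
! NAT (access-list 105 / Deny-VPN) still matches the traffic it expects.
access-list NONAT extended permit ip 192.9.200.0 255.255.255.0 any
nat (inside) 0 access-list NONAT
!
! The 2811 translates the public address before the ASA ever sees the packet, so
! the ASA outside ACL must permit the real server address, not the public one.
! Only the three published ports are opened; nothing else reaches the server.
access-list OUTSIDE_IN extended permit tcp any host 192.9.200.254 eq 25
access-list OUTSIDE_IN extended permit tcp any host 192.9.200.254 eq 80
access-list OUTSIDE_IN extended permit tcp any host 192.9.200.254 eq 143
access-group OUTSIDE_IN in interface outside
```

To confirm the path end to end, check that inbound connections appear in "show ip nat translations" on the 2811 with 192.9.200.254 as the inside local address, and run "packet-tracer input outside tcp 198.51.100.7 40000 192.9.200.254 25" on the ASA (198.51.100.7 is a documentation address standing in for an internet client); the trace should show the NONAT exemption and the OUTSIDE_IN permit and end with "Action: allow". On ASA 8.3 or later the "nat (inside) 0" line does not exist; the equivalent is an identity NAT for the subnet, for example an "object network LAN" containing "subnet 192.9.200.0 255.255.255.0" and "nat (inside,outside) source static LAN LAN".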
